The security breach that targeted sensitive data relating to RSA's SecurID two-factor authentication product has cost parent company EMC $66m in the second quarter, The Washington Post has reported.
The king's ransom was spent after RSA issued a vaguely worded letter in March warning that undisclosed information had been stolen …

COMMENTS

Any news as to the remedy?

Found anyone who is willing to say, off the record, that RSA has either provided them with new SecurID tokens, or told them that would fix the problem?

If the tokens were replaced, that would seem to indicate either the seeds were stolen or there's an implementation weakness. If it's a software update on the server side, a patch to the underlying Oracle database, etc., that's still a problem, but a very different one.

Re: Any news as to the remedy?

I don't have any definitive news, but Cain & Abel has for some time been able to provide soft token functionality if you can provide an RSA seed file and manually enter the token codes for sync.

Hence - seeds were definitely stolen and the fix will be new tokens with new associated seed files.

<wild speculation>

The possibility is that customer information was also stolen (i.e. SecurID licence numbers and licensing information) to allow the seeds to be easily tied to a customer, which takes the threat from vague to useful against specific customers.

</wild speculation>

The PINs that were associated with the tokens will still need to be guessed, but the security around these isn't always great (i.e. standardising on 1234 or sellotaping the PIN code to the back of a SecurID).

New tokens

Disgraceful

This incident was handled in an absolutely disgraceful fashion.

It is wholly unacceptable that RSA has not given enough information for their customers (one of which employs me) to assess the implications of the breach, and their pathetic security advice is absolutely worthless.

If I were a customer of RSA, I would be demanding replacement SecurID tokens at the very least. Having seen how seriously they care about their customers' security, only a fool would work with RSA again.

Ah ha

Where is management?

This is RSA F******in' Security for Chrissakes! I have spoken to RSA customers and they are all moving away from SecurID, as the company can no longer be trusted. Two clients told me they were lied to by RSA staff. This is a Sarbanes offense IMHO.

Damn kids...

I work in a helldesk. The day after the attack was announced, I said we would be switching from 4-digit PINs to 8-character PINs. About a week after that, they announced we would be switching. Two days after that, we had 2000 people forced to change. When I sat down to work, we had 125 people in the queue for support with the switch. Our RSA system and call queueing system actually crashed that day.

And yet, the company I will not name will not switch from RSA. Rather, they want to switch all ~35k employees to 8-character PINs. I suppose it's probably easier to let us poor underpaid helldesk geeks handle it than to just switch to something that works.

In Denial ...

What a JOKE

I know that customers have received FREE tokens from this EPIC FAIL. It's obviously the seed records, or else why would they need to reissue them...

And yet still the banks and government departments are refusing to swap out the technology... I mean, how can these people be heads of security and still continue to use RSA? We were offered SecurEnvoy for our whole RSA estate and at a hugely discounted cost. All I can say is I'm glad we swapped; it was easy, and I would never consider RSA again.

The way in which RSA has handled this whole debacle is outrageous. I wonder how much of that $66m was in brown envelopes to persuade CIOs to keep the technology on board?